Repair F13x

And This!

The computer had visited the workshop a week or so previously
(see Repair F135) for getting going after losing a lot of its
EXE and DLL files.

After running an anti-virus program on the hard drive plugged
into a host computer I'd discovered and eradicated a nasty virus.
I'd been a little puzzled however as the signature of the named
virus had not been exactly matched by the effects I'd corrected.
It was therefore not a totally unexpected event when on the 4th
of September I got a phone call from the owner proclaiming that
a number of problems had arisen that day... and could I help?
I tried a few trial searches for files over the phone and from
the responses began to get concerned that a repeat of the previously
fixed problems had recurred.

On the workshop bench, I tested the recalcitrant machine and
soon discovered that only 50-odd EXE files and 92 DLLs were
visible. With the particular software build in the machine I'd
have expected to see closer to 500 and 1500 respectively so something
was definitely amiss.
I removed the hard drive and checked it on a host computer. "No
virus found", of course, was the result. I had used this
version of the virus detector on the same drive before so this
was the result I'd expected.

I discussed the results with the owners. There were two options:
repeat the last fix or reformat the hard drive and reload all
the software. The latter was the chosen option but before I started
I mentioned the modem. When I'd last tried the Internet connection
it had worked but only just. Speed was indicated as 28kbaud
and during the dial-up procedure there were lots of wailing noises.
"Is there any possibility your modem was", I started
to say... "by lightning"... the owner finished
my question! "Yes", I said. "Well funny you should
say that because both our next door neighbours asked me if my
modem had been damaged a few weeks ago because theirs needed
replacing after a storm". I fitted a new modem and both
dial-up and speed were restored to normal.

I started the recovery procedure by saving all the .DOC files.
Next I saved all the files in the Quicken directory as this had
been requested. There were quite a few.
I then typed the command I like doing most... "FORMAT
C:" and after a few minutes the hard drive was cleared of
files. Then I FDISK'd and removed the primary DOS partition.
Next I remembered... just. Switch off the mains power and
wait a few moments before switching on again. This is to remove
any memory resident virus that may be lurking. Then FDISK and
load a fresh version of OEM Windows 98.

After this had all been done I loaded the applications software
and added Norton anti-virus. Running the update facility offered
the latest virus definitions which were then downloaded. At this
point in time I connected up the hard drive used for saving the
files.
I ran Norton on the first hard drive and found 30,000 clean files
devoid of any signs of a virus. Then I ran it on the second drive
and went off to do some tidying. When I got back there was a
message waiting. No less than 199 infected files had been discovered.
All were Quicken files and Norton eventually decided the best
course of action was to put them in quarantine as it couldn't
fix them.

The next step was to investigate the virus it had discovered.
This was the VBS.Haptime.A@mm variety and lo and behold it was
said to delete as many EXE and DLL files as it could when the
day and month number added up to "13". That was the
very day, September 4th, that the owner had reported the problem.
The previous occurrence no doubt being August 5th! Why hadn't
Norton found the virus last time? Because the definition files
had only included it from the 6th September!

The virus had arrived in an E-mail and had set up keys in the
Registry HKEY_CURRENT_USER\SOFTWARE\HELP\COUNT and FILENAME.
It had probably E-mailed itself on to others as well. I then
remembered I'd sent several test E-mails to myself but on reading
further I found that Microsoft has written a patch to sort out
a bug in Outlook Express which, it is believed, the virus exploits
to get into other computers. This it can do without the owner
even having to open the E-mail. Thankfully I had run the patch
program a week earlier. Perhaps I'm psychic?
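
As an added example (not part of the original write-up, and not code from Norton or Microsoft), the Python below checks a REGEDIT4-style text export of the Registry for the two marker names mentioned above and lists the dates on which day number plus month number equals 13. The export text is constructed sample data, the function names are invented for the illustration, and since it is not stated whether COUNT and FILENAME are subkeys or values, both layouts are checked.

```python
import datetime
import re

# Marker names as given in the text above. Whether COUNT and FILENAME are
# subkeys or values under ...\HELP is an assumption, so both are handled.
MARKER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\HELP"
MARKER_NAMES = {"COUNT", "FILENAME"}

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Help]
"Count"=dword:00000003
"FileName"="constructed-placeholder"

[HKEY_CURRENT_USER\Software\Microsoft\Notepad]
"Count"=dword:00000001
'''

def trigger_dates(year):
    """Dates in `year` where day number + month number == 13."""
    return [datetime.date(year, month, 13 - month) for month in range(1, 13)]

def find_markers(reg_export):
    """Return the sorted marker names present in a registry text export."""
    found = set()
    section = ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            # Layout 1: markers stored as subkeys, e.g. [...\HELP\COUNT]
            parent, _, leaf = section.rpartition("\\")
            if parent == MARKER_KEY and leaf in MARKER_NAMES:
                found.add(leaf)
        elif section == MARKER_KEY:
            # Layout 2: markers stored as values, e.g. "Count"=dword:...
            match = re.match(r'"([^"]+)"\s*=', line)
            if match and match.group(1).upper() in MARKER_NAMES:
                found.add(match.group(1).upper())
    return sorted(found)

if __name__ == "__main__":
    print("Markers found:", find_markers(SAMPLE_EXPORT))
    # The year is arbitrary; the day + month rule does not depend on it.
    print("Trigger dates:", [d.strftime("%d %b") for d in trigger_dates(2001)])
```

The "Count" value under the Notepad key in the sample is ignored because only names under the HELP key are treated as markers.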